Learning from the MOVEit attacks: What to know and what to do

MOVEit attacks

In the final days of May 2023, customers of Progress Software’s MOVEit file transfer platform began experiencing compromises, and these compromises started making the news in a very big way. Significant amounts of data were exfiltrated by the attackers, and victims were then extorted regarding the public release of their data. Patches have been made available for known vulnerabilities, however, this compromise event is far from over.

The MOVEit attacks have capitalized on at least one previously unknown zero day vulnerability, meaning that even if customers were vigilant about patching, they were still vulnerable – and quite possibly compromised – during the time between the vulnerability’s discovery and when the patches were released and applied. Additional vulnerabilities have been discovered, and patches issues by Progress. 

These attacks have been attributed to Cl0p, a Russian-speaking cybercrime group that has a long history of ransomware extortion. As of time of writing a senior US CISA official has stated that they do not believe these attacks are being coordinated by the Russian government, despite multiple government agencies in multiple countries having fallen victim.

Why MOVEit?

MOVEit is not the first file transfer platform to be exploited. Bleeping Computer notes that there have been “similar attacks in the past using zero day vulnerabilities in Accellion FTA, GoAnywhere MFT, and SolarWinds Serv-U”. While we can’t know the motivations of threat actors with certainty, file transfer applications make sense as targets for a number of reasons.

File transfer applications tend to be developed by smaller vendors, and there is a persistent perception that smaller vendors are less capable when it comes to application security. File transfer applications also tend to be deployed by organizations rather than individuals, increasing the likelihood that victims will have the resources to pay. Finally, and perhaps most important, these applications hold data. Lots of data.

All of this means that file transfer applications make for an attractive target, and will almost certainly be targeted again.

So what can be done about this? File transfer is necessity, but how can you better protect the data that is routed through these platforms?

Protecting against the unknown

Let’s start discussing defences with some generic “how to protect against zero days” advice.

While all of this advice is somewhat generic – how do you protect everything against every possible unknown attack is a rather broad topic space – advice on how to defend file transfer applications specifically is something we can get more granular with.

Defending your file transfer platforms

File transfer applications typically come with the ability to restrict access based on user credentials. It is important to have individual credentials for each user, and to restrict each user’s access as much as possible to only that which they absolutely must have access. While this won’t protect you from zero day attacks directly, it can help detect when some kinds of attacks are occurring. So let’s look at some broad categories of zero day attacks you might see with a file transfer application.

Your defences begin by restricting the privileges under which the file transfer application executes. If possible, don’t run that application with administrator-level privileges. If you can lock it up in its own container or virtual machine, do that. If it can be on a completely isolated network that’s even better. Under no circumstances should your file transfer application have access to even one file that is not absolutely required for it to do its job.

Here, knowing something about how your file transfer application is actually used by your customers can help. Consider the use case wherein your file transfer application is used exclusively for customers to upload files to you. In this case have a script that runs in the background and scans for when files are done uploading. As soon as they’re done move that file off of the file transfer server and over to a storage location the file transfer server can’t access. That way, if the file transfer application is ever compromised by a zero day that allows for arbitrary code execution that code can’t access any data.

If you do need to make data available to your users through the file transfer application then consider whether or not you can at least make it read only to any credentials that could possibly be used by a malicious application executing on the file transfer server. This way you have at least narrowed the potential scope of the problem to “attackers may have seen data”, and aren’t dealing with “attackers may have modified and/or deleted data”.

Parting thoughts

Defending file transfer applications from zero day vulnerabilities really boils down to the principle of least privilege. Make sure everything connected to your network can only talk to what it absolutely needs to talk to, and that everything possible has EDR installed. If you absolutely must provide some level of persistent privileged access, then if at all possible require your users to use a VPN in order to access your file transfer services.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

Any data that is exposed to the internet, even if protected by an application, is at risk of finding its way onto the internet. The more defences you have, the longer you’re likely to be able to keep that data secure. Logfile analysis and vulnerability scanners can help tell you when the data is no longer secure. But nothing beats making as little data as possible available for as short a period of time as is absolutely necessary in terms of reducing your risk.

Senan Conrad

Senan Conrad

Senan specializes in giving readers insight into the constantly and rapidly changing world of cybersecurity. When he’s not tapping away at his keyboard, he enjoys drinking a good coffee or tinkering in his workshop.

What to read next